There is more detailed information available under a few of the links in the article.

Information about what an infection looks like, the attack method, etc: http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html

From skimming the article, it sounds like it attacks control panels (mostly Plesk?) and possibly WordPress for remote shell, then does some sort of local privilege escalation. It then adds a module to Apache or Nginx which injects malware into served web pages under certain conditions.

More information about distribution: http://nakedsecurity.sophos.com/2013/03/05/rogue-apache-modules-iframe-blackhole-exploit-kit/
It is interesting that the malware hijacks ssh as well. This makes me think that RHEL's approach to confining services using SELinux is a good idea, although it is possible that this malware also exploits some weakness there.
It's interesting how malware is evolving just like real parasitic organisms. Those that drain host resources too quickly or noticeably don't survive. Killing the host kills you too. Here is parasitic software that largely doesn't bother the host, and thus is able to survive and spread more effectively.
One of my servers has Webmin on it, which I rarely use. I'm not sure if deleting it would break anything on the backend, so if I were to block the port it uses with SELinux, would that pretty much alleviate the problem until I was sure that removing it would not break anything?

I've already checked the server for any rogue Apache modules and nothing appears out of place.

Never mind. There is a stop script.
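A check along the lines of the rogue-module inspection mentioned in the comment above, as an added example that is not from this thread or from any of the linked write-ups: it pulls the module paths out of an Apache config's LoadModule lines and flags any file the package manager does not own. It assumes an RPM-based host (rpm -qf); the OWNER_CHECK variable and the function names are my own.

```shell
#!/bin/sh
# Added example: find Apache modules that no installed package claims.
# Assumption: RPM-based system; on Debian/Ubuntu set OWNER_CHECK="dpkg -S".
# Remember to run it over every Included config file, not just httpd.conf.

# Print the module file path from each active LoadModule directive in $1.
# Commented-out directives (leading '#') are ignored.
loaded_module_paths() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]' "$1" | awk '{print $3}'
}

# check_modules SERVER_ROOT CONFIG
# Resolves relative module paths against SERVER_ROOT and prints
# "UNOWNED <path>" for each module file the package manager does not own.
# An unowned .so loaded by httpd deserves a closer look.
check_modules() {
    root="$1"
    conf="$2"
    loaded_module_paths "$conf" | while read -r rel; do
        case "$rel" in
            /*) path="$rel" ;;
            *)  path="$root/$rel" ;;
        esac
        # OWNER_CHECK is a command that succeeds only for package-owned files.
        if ! ${OWNER_CHECK:-rpm -qf} "$path" >/dev/null 2>&1; then
            echo "UNOWNED $path"
        fi
    done
}

# Typical invocation on a RHEL-style host:
#   check_modules /etc/httpd /etc/httpd/conf/httpd.conf
```

The script only reports ownership; a module that is package-owned but modified would need `rpm -V` on that package as a second step.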
There is additional good information posted in the Cisco Blog today; the comments section has good info:

http://blogs.cisco.com/security/apache-darkleech-compromises/